How can I check when I make a detection rule if another rule has been activated? That is, if I want to make a rule that verifies an incident I would like to check if another rule that is strictly related to IDS has already been activated.
you can create rules that point at the signals index .siem-signals-default-*
The thing is that query would only be using that index. It is possible to create multiple alerts based on various indexes, then create a rule that runs against the .siem-signals-default-*
Name the rules with a prefix, then use threshold with .siem-signals-default-* to alert on x events with that prefix alert in x minutes.
fwiw, you don't have to do .siem-signals-default-*, you should only have to use .siem-signals-default when you're in the default space as that is an alias which will access all the ILM indexes correctly. If you are in a different space it would be .siem-signals-${space-id} where ${space-id} is the space id you have created.
Please let me know if you are finding this to be a problem and are having to resort to using .siem-signals-default-* with a glob pattern. We made the siem signals detection work with ILM and aliases.
If you are reaching across spaces then it would be .siem-signals* or siem-signals-${space-id1},siem-signals-${space-id2} when setting up Kibana indexes with regards to dashboards. Then just set up your permissions per space according to your use cases.
With all of that said you could still use a glob like mentioned above, it shouldn't hurt anything major unless you have specific use cases and changes to the existing ILM policies and how you're aging out closed signals.
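Putting the two answers together (prefix-named rules plus a threshold rule over the signals alias, using .siem-signals-default or .siem-signals-<space-id> rather than a glob), here is an added example of what that second-level rule looks like when created through the Kibana detection engine API. This is example code, not code from the thread or from Elastic; the field name signal.rule.name, the threshold schema, the "IDS-" prefix and the Kibana URL are assumptions.

```python
import base64
import json
import urllib.request

# Signals index per space, as described above: the default space reads the
# alias .siem-signals-default, any other space reads .siem-signals-<space-id>.
def signals_index(space_id="default"):
    return f".siem-signals-{space_id}"

# Build a threshold rule that fires when at least `count` signals produced by
# rules whose name starts with `prefix` (e.g. "IDS-") appear within `window`.
# signal.rule.name and the "threshold" rule type are assumed (7.9+ schema).
def correlation_rule(prefix, count, window="10m", space_id="default"):
    return {
        "rule_id": f"correlate-{prefix.lower().rstrip('-')}",
        "name": f"Multiple {prefix} signals within {window}",
        "description": f"At least {count} signals from rules prefixed {prefix}",
        "type": "threshold",
        "index": [signals_index(space_id)],  # alias, not a glob
        "language": "kuery",
        "query": f"signal.rule.name:{prefix}*",  # match by rule-name prefix
        "threshold": {"field": "host.name", "value": count},  # per host
        "from": f"now-{window}",  # lookback must cover the whole window
        "interval": "5m",
        "risk_score": 73,
        "severity": "high",
        "enabled": True,
    }

# POST the rule to Kibana; kbn-xsrf is required on every write request.
# Hypothetical URL and credentials; nothing is sent unless you call this.
def create_rule(rule, kibana_url="http://kibana.example:5601",
                user="elastic", password="changeme", space_id="default"):
    space = "" if space_id == "default" else f"/s/{space_id}"
    req = urllib.request.Request(
        f"{kibana_url}{space}/api/detection_engine/rules",
        data=json.dumps(rule).encode(),
        method="POST",
    )
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    req.add_header("kbn-xsrf", "true")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    print(json.dumps(correlation_rule("IDS-", 3), indent=2))
```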